On the ACE load balancer we are facing a Kerberos authentication issue. When we access a server directly (10.1.8.62) it works fine, but when we access it through the LB VIP address (10.1.4.33) it asks for authentication.
How can we resolve this issue?
The configuration is as below:
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

probe http HTTP_PROBE
  port 80
  interval 10
  faildetect 5
  expect status 200 200

rserver host iis1
  ip address 10.1.8.61
  inservice
rserver host iis1a
  ip address 10.1.8.62
  inservice

serverfarm host web
  rserver iis1
    inservice
  rserver iis1a
    inservice

parameter-map type http Kerberos
  server-conn reuse
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  length-exceed continue

sticky ip-netmask 255.255.255.255 address both stickyRule
  serverfarm web

class-map type management match-any IIS-mgmt
  201 match protocol snmp any
  202 match protocol http any
  203 match protocol https any
  204 match protocol icmp any
  205 match protocol ssh any
  206 match protocol kalap-udp any
  207 match protocol telnet any
  208 match protocol xml-https any

class-map match-all slb-vip
  2 match virtual-address 10.1.4.33 any

policy-map type management first-match IIS-mgmt
  class IIS-mgmt
    permit

policy-map type management first-match remote-access
  class class-default
    permit

policy-map type loadbalance http first-match slb
  class class-default
    sticky-serverfarm stickyRule
I looked at your configuration again and realized that the ACE is not learning or doing anything at the HTTP level, and hence there are no statistics. You have sticky based on L3.
You have mentioned it works directly but through the ACE it doesn't. The only difference I see is that the client is getting NATed here. If you test with only one server in the serverfarm, does it work fine? Can you do a capture on the ACE itself so that we can see the communication between the client and the ACE and the server, to see what is going on here?
Do you see anything when you do "show conn"? You can filter it by source/VIP address. Is there any specific requirement from these servers which needs to be configured on the ACE?
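Two things worth checking against the posted configuration, as an added example that is not part of the original thread and not the poster's or Cisco's fix. First, `parameter-map type http Kerberos` is defined but nothing in the posted config references it, and no `multi-match` policy-map or interface `service-policy` ties the `slb-vip` class to the `slb` load-balance policy, so as posted the ACE applies no HTTP-level settings to the VIP at all (which matches the reply's observation that there are no HTTP statistics). Second, a browser pointed at a bare IP address normally cannot form a Kerberos SPN and falls back to NTLM, which authenticates the TCP connection rather than each request; with `server-conn reuse` enabled the ACE may multiplex several client connections onto one server-side connection, so the server sees requests from a client that never authenticated on that connection and challenges again. The fragment below binds the parameter-map to the VIP with connection reuse and per-request rebalancing turned off. The interface (vlan 40), the policy name CLIENT-VIPS and the assumption that clients are authenticating with NTLM over the IP address are mine, not from the thread; confirm with a capture, as the reply suggests, before changing a production box.

```cisco
! Added example, not from the original thread. "interface vlan 40" and the
! policy name CLIENT-VIPS are assumed; the other names (Kerberos, slb-vip,
! slb, everyone) are the ones in the posted configuration.

! HTTP parameter-map with server connection multiplexing and per-request
! rebalancing disabled, so every client TCP connection gets its own
! server-side connection. Connection-oriented auth (NTLM) needs this;
! per-request Kerberos tokens tolerate reuse, but disabling it is harmless.
parameter-map type http Kerberos
  no server-conn reuse
  no persistence-rebalance
  case-insensitive
  set header-maxparse-length 65535
  length-exceed continue

! Layer-4 policy missing from the posted config: without it the slb-vip
! class and the slb load-balance policy never match traffic and the
! parameter-map is never applied.
policy-map multi-match CLIENT-VIPS
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    appl-parameter http advanced-options Kerberos

! Apply the ACL and the policy on the client-facing interface (assumed
! vlan 40). The ACE denies transit traffic until an access-group is bound.
interface vlan 40
  access-group input everyone
  service-policy input CLIENT-VIPS
```

After this is applied, `show service-policy CLIENT-VIPS detail` should show the VIP in service with hit counters incrementing, and `show conn` should show a separate server-side connection per client connection rather than a shared pool; if the prompt persists with a single-server farm and no reuse, the problem is on the server side (SPN registration for the VIP name, or the authentication provider on IIS) rather than on the ACE.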